Heard back from Dropbox today. As promised, I'm posting their reply. If you
missed my original email to them it's online at http://jjjjj.us/92
================================================================================
Date: Wed, 22 Jun 2011 17:49:33 +0000
From: Ryan M - Dropbox Support
To: Forensication
Subject: [Dropbox Support] Re: Re: Important Dropbox Security Update - Please Read
Hi J,
We're sorry for this situation and regardless of how many people were
ultimately affected, any exposure at all is unacceptable to us. We will
continue to provide regular updates through our blog post linked here:
http://blog.dropbox.com/?p=821.
Our records show that the following IP address was logged during the time
period:
XX.XXX.X.XXX
This IP address has since not logged into your account and I can also confirm
that no hosts were linked to your account nor was your password compromised.
If there is anything further I can do to assist, please be sure to let me know.
Regards,
Ryan
================================================================================
Although I was glad to see that the IP listed was one of my own and that machine
did briefly connect to their systems during that time period, I fail to see how
they can confirm that my password was not compromised - they really can't prove
or disprove that to be the case, can they? Additionally, they failed to answer
the really important question: were any files downloaded via the web interface?
I have since moved almost everything out of Dropbox's systems, have hit the
'permanently delete' button on the files and am now using rsync+ssh+key on my
own servers to do what Dropbox was doing before.
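An rsync+ssh+key setup of the kind described above is only as strong as the key it runs on: an unattended key that is allowed to run arbitrary commands on the backup host is a standing risk if the client machine is ever compromised. The script below is an added example, not the author's configuration (the post does not show one). It is a forced-command wrapper for the backup server's authorized_keys entry in the spirit of rsync's own rrsync support script: sshd places whatever the client asked to run in SSH_ORIGINAL_COMMAND, and the wrapper only executes it if it is an rsync push into an allowed directory. The path /srv/backup/j, the wrapper location and the client-side command are assumptions for illustration.

```bash
#!/bin/sh
# Forced-command wrapper for an rsync-only SSH key (added example, not from the post).
#
# Server side, ~/.ssh/authorized_keys (install path and key are hypothetical):
#   command="/usr/local/bin/rsync-only",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... backup-key
#
# Client side, the kind of push this wrapper permits (assumed command line):
#   rsync -az --delete -e "ssh -i ~/.ssh/backup-key" ~/Dropbox/ backup.example.com:/srv/backup/j/
#
# rsync over ssh asks the remote side to run "rsync --server <flags> . <dest>";
# everything else (an interactive shell, scp, a pull out of the backup tree,
# a destination outside ALLOWED_ROOT) is refused.

ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/backup/j}"   # assumed backup directory on the server

# check_rsync_command "<command string>"
# Returns 0 if the string is an acceptable server-side rsync push, 1 otherwise.
# Paths containing whitespace are not supported (neither are they by this simple split).
check_rsync_command() {
    # shellcheck disable=SC2086
    set -- $1
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] || return 1

    for arg in "$@"; do
        case "$arg" in
            # --sender would let the client read the backup tree; this key only pushes.
            --sender) return 1 ;;
            # Never let the server be talked into deleting its own copy at the source side.
            --remove-source-files) return 1 ;;
        esac
    done

    # The destination is the last argument of the server invocation.
    eval "dest=\${$#}"

    # Must be ALLOWED_ROOT itself or something beneath it ...
    case "$dest" in
        "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) ;;
        *) return 1 ;;
    esac
    # ... and must not climb back out with a ".." component.
    case "/$dest/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Dispatch only when invoked by sshd as a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        # shellcheck disable=SC2086
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-only: rejected command: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The point of the wrapper is that losing the laptop, or its private key, then costs an attacker the ability to overwrite the backup but not to read it back out or to get a shell on the server; pair it with the no-pty/no-forwarding options shown in the authorized_keys comment so the key cannot be used for anything but the wrapper. rsync ships a more complete version of the same idea as support/rrsync, which is the better choice when paths may contain spaces.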
In light of the paper released by sba-research (PDF at http://jjjjj.us/96)
highlighting the Swiss-cheese security of cloud-based storage, I'd say I made the
right decision.